Exploit Exercises Nebula 5: Level 09 Write Up

Level: https://exploit-exercises.com/nebula/level09/

There’s a C setuid wrapper for some vulnerable PHP code…

To do this level, log in as the level09 account with the password level09. Files for this level can be found in /home/flag09.

$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);

Using the e modifier is dangerous, and it has been removed as of PHP 7.0.0. With it, the replacement string (the second argument) is evaluated as PHP code after the backreferences have been substituted in.

There is a $use_me parameter which might come in handy.

So what happens is you pass it a file, and it looks for [email test@example.com], then replaces it with the output of spam("test@example.com"), e.g. test AT example dot com.

We need to use PHP's complex (curly) syntax to get our own code evaluated inside the double-quoted string.

Put this in a file:
[email {${shell_exec($use_me)}}]

This works because the outer curly brackets mean "give the contents of a variable or method call", and whatever is inside them has to start with $, which is why we need the inner ${} to act as a variable.

{${shell_exec($use_me)}} means "give the contents of ${shell_exec($use_me)}", which in turn means "use the contents of a variable named by the output of shell_exec($use_me)". We don't care about the output; we just want to run getflag.

Then run:

/home/flag09/flag09 /home/level09/ourfile getflag

getflag is passed to $use_me.

Which means…

You have successfully executed getflag on a target account.
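
For the fix side of this level, here is the same replacement written with preg_replace_callback(), so the captured text reaches spam() as data and is never evaluated as PHP. This is an added example, not code from the level or from the original post; spam() is reconstructed from the output described above, and markup_safe() is a hypothetical name.

```php
<?php
// Added example: hardened form of the preg_replace() call from this level.
// Assumptions: spam() is reconstructed from the behaviour the write-up
// describes; markup_safe() is a hypothetical name.

function spam(string $email): string
{
    // Replace "." with " dot " and "@" with " AT ", as the write-up describes.
    return str_replace(['.', '@'], [' dot ', ' AT '], $email);
}

function markup_safe(string $contents): string
{
    // Same pattern as the level's code, minus the /e modifier.
    // preg_replace_callback() hands each match to a function as a plain
    // string. No PHP source text is assembled from user input, so curly
    // syntax such as {${...}} inside the tag is never interpolated.
    return preg_replace_callback(
        '/(\[email (.*)\])/',
        static function (array $m): string {
            return spam($m[2]); // group 2 is the text after "[email "
        },
        $contents
    );
}

// Constructed sample input: a benign tag and the tag used in this write-up.
// Single quotes keep PHP from interpolating the literals themselves.
$samples = [
    '[email test@example.com]',
    '[email {${shell_exec($use_me)}}]',
];

foreach ($samples as $s) {
    echo markup_safe($s), PHP_EOL;
}
```

The second sample comes back as the literal tag contents, because the callback only ever sees it as a string.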
